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Abstract 

Web tracking necessitates several complementary approaches. By combining passive and 
active fingerprinting, persistence of tracking identifiers, and unmasking techniques, an effective 
web tracking regimen can be developed. Although powerful new web browser features may 
offer additional opportunity for tracking, the variety of implementations and lack of consistently 
supported feature sets may limit effectiveness. Browser vendors have begun integrating privacy 
protections, but many of the implementations are flawed in ways that may be challenging to 
address without breaking users’ expectations of how the web works. 

Introduction 

Web tracking has never been very popular with users. But it is probably as popular as ever 
with those people who are implementing the tracking to capitalize on vast datasets of user 
information. Many of the most effective approaches have been used by media companies to 
implement behavioral advertising and by social networking companies looking to monetize user 
generated content. In several cases, web users actively volunteer this information. 

Within this context though, there is an overall lack of tools and research into how one goes 
about implementing web tracking for one’s own sites. A great deal of attention is paid to what 
tracking may be implemented “in the wild”, but there is limited emphasis placed on what 
practical mechanisms are actually usable for those people just looking for solutions . 

The research presented in this paper builds upon the long history of web browser weaknesses 
that have allowed for user web tracking. Some of these techniques are well known, some 
are possibly misunderstood, and others have not been explored thoroughly. Where practical, 
an attempt has been made to provide more exhaustive documentation of web browser and 
plugin features and discuss how practical these are for implementing in a tracking server. This 
research should be seen a starting point, not a definitive treatment of a vast topic. 

Implementing and deploying web tracking is based on a series of trade-offs. Browsers are 
constantly integrating new features and, with the rapid release approaches being used by major 
vendors, developing workable solutions is dependent on a number of interrelated factors. The 
most effective techniques are rooted in features that are difficult for browser and plugin vendors 
to address with compromising user experience. For instance, the visited” CSS history 
enumeration took years to address after being reported (and people are still arguing about it). 

Ultimately, an effective tracking solution needs to encompass all facets of information exposed 
by the browser, but care should be taken to avoid relying on user cooperation, deception, 
or outright theft of user information. Those activities are better left as external to the primary 
motivations of user tracking that rely on strictly technical means. 
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Fingerprinting 

Feature Detections in Browsers 

User-agent sniffing is an outdated technique to detect specific features sets. Instead of parsing 
the “navigator.userAgent” value, properties in the browser that are specific to the actual version 
are used. This is the same technique used by modern JavaScript libraries such as “ modernizr ”. 

For example, a basic (and naive) approach could appear as: 

if ("netscape" in window) { 
alert("Firefox"); 

} else if ("chrome" in window) { 
alert("Chrome"); 

} // etc... 

In addition to identifying specific feature sets, it is also helpful to determine if some technological 
means has been put in place to block execution of plugin content in the browser. Although in 
some cases this can be accomplished by simply attempting to load the content, other times it 
can be more challenging. 

For example, a popular Firefox extension is the NoScript add-on. The NoScript add-on has fine¬ 
grained control over JavaScript and plugin execution. In situations where it is not possible to 
execute JavaScript, it could still be beneficial to detect plugin blocking. 

The following example HTML can be used to detect if NoScript blocking is present for a specific 
plugin content-type by making a background-image request based on a specific NoScript style: 

<html> 

<head> 

<style> 

a._noscriptPlaceholder_ { 

background-image:url( 1 /noscript-embed-flash-blocked.png?fefel234'); 

} 

</style> 

</head> 

<body> 

<div style="width: Opx; height: Opx; overflow: hidden; display: block;"> 
<embed type="application/x-shockwave-flash"></embed> 

</div> 

</body> 

</html> 
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Detecting Browser Extensions 

Both FireFox and Chrome promote the development of custom add-ons and extensions by 
developers. These custom browser extensions are created using a variety of mechanisms but 
are primarily based on a certain set of JavaScript components that run with higher privileges 
and use browser-specific conventions to interact with the user. In some cases, it is possible to 
detect the presence of a particular add-on or extension based on browser behaviors. 

Chrome Extensions 

Chrome exposes a pseudo URI for extensions “chrome-extension://”. These URIs are based 
on the ID of extension and can be used to reference content. Each chrome extension has a 

“manifest.ison” file that can possibly be detected , but any suitable content can be used for 
detection. If a specific file and type is loadable, this can be a more powerful detection approach. 


The “ Collusion ” extension for Chrome add-on graphs the requests between third-party sites. It 
can be detected using a similar approach by loading specific content that is exposed: 

chrome-extension://aanlifbpkcplnldliibcbeaplfmcfiap/d3.is 

chrome-extension://aanlifbpkcplnldliibcbeaplfmcfiap/scriPts/vendor/d3.is 


Web Tracking Proof Q detect collusion 
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starting from: http://featurability.com/detect-collusion.html 

user agent reported as: Mozilla/5.0 (Xll; Linux i686) AppleWebKit/536.11 (KHTML, like Gecko) C 
is Chrome 

trying: chrome-extension://ganlifbpkcplnldliibcbegplfmcfigp/content.js 
js error 

trying: chrome-extension://ganlifbpkcplnldliibcbegplfmcfigp/d3.js 

js arrnr ^ 


trying: chrome-extension://ganlifbpkcplnldliibcbegplfmcfigp/scripts/content.js 
window error: Script error. ():0 
js loaded 

trying: chrome-extension://ganlifbpkcplnldliibcbegplfmcfigp/scripts/vendor/d3.js 

js loaded 

finished 

Collusion *was* detected!!! 


Firefox Resource References 

Depending on how the add-on chooses to implement expose certain features, it may be 
possible to detect the add-on. Many add-ons implement a custom resource handler to resolve 
internal resources. The “resource://” pseudo URI can be used to access these values from 
remote content. The “chrome://” pseudo URI may be accessible if the add-on marks the 
reference as explicitly accessible (implicit blocking may itself be detectable). Depending on 
the type of value exported, dynamic script, image or CSS loading could be used to access and 
detect the content. 


For example, the “ Collusion ” add-on graphs the relationships between sites that set third-party 
cookies. The add-on uses the Jetpack SDK and the bootstrap routine in the SDK will register a 
reference to embedded resources using “resource://” URI based on the ID of the add-on. 


From bootstrap.js: 

// Register a new resource "domain" for this addon which is mapping to 
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// XPI's 'resources' folder. 

// Generate the domain name by using jetpack ID, which is the extension ID 
// by stripping common characters that doesn’t work as a domain name: 
let uuidRe = 

/ A \{ ([0-9a-f] {8}-[0-9a-f] {4}-[0-9a-f]{4}-[0-9a-f] {4}-[0-9a-f] {12})\ } $/; 
let domain = options.jetpackID.toLowerCase() 

.replace(/@/g, "-at-”) 

.replace(/\./g, "-dot-") 

.replace(uuidRe, "$1"); 

let resourcesUri = ioService.newURI(URI + ’/resources/’, null, null); 
resourceHandler.setSubstitution(domain, resourcesUri); 
options.uriPrefix = "resource://" + domain + "/"; 

This allows a remote page to reference the resource content based on what is exposed: 


resource://iid1-f9ui2thwoam5aa-at-ietpack/lib/main.is 

resource://jid1-f9uj2thwoam5aa-at-ietpack/collusion/lib/main.js 


Web Tracking Proof of Con... 
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starting from: http://featurability.com/detect-collusion.html 

user agent reported as: Mozilla/5.0 (Xll; Ubuntu; Linux i686; rv:12.0) Gecko/20100101 Firefo 
is Firefox 

t rying: resource://jidl-f9uj 2thwoam5gq-at -j etpack/lib/main.j s 
js error 

trying: resource://jidl-f9uj2thwoam5gq-at-jetpack/data/index-content-script.js 

window error: Error loading script (resource://jidl-f9uj2thwoam5gq-at-jetpack/lib/main.js):1 

js prrnr 


'trying: resource://jidl-f9uj 2thwoam5gq-at -j etpack/collusion/lib/main.j s 
window error: Error loading script (resource://jidl-f9uj2thwoam5gq-at-jetpack/data/index-coi 
window error: Script error. (resource://jidl-f9uj2thwoam5gq-at-jetpack/collusion/lib/main.j 
js loaded 
finished 

i Collusion *was* detected!!! A 


Any add-on that implements a similar bootstrap routine could potentially be detected based on 
resource enumeration. 


Firefox Custom XPCOM 

If a Firefox add-on exposes a custom XPCOM interface, the XPT type information 
can be extracted from the add-on and used to discover the custom type by 
examining “Components.interfaces” rComponent.interfacesl . This is a well known problem and 
is currently unaddressed (Buazilla #429070 ). Additionally, the “Components.interfacesBylD” list 
can be used based on a specific IID value. 

For example, the Greasemonkev add-on implements a custom XPCOM interface type. This can 
be detected by searching for the appropriate IID. 


'gmIGreasemonkeyService' == Components.interfacesBylD['{c5826e20-lcc7- 
Ilda-8cd6-0800200c9a66}’] 

A list of all custom types can be built by extracting type information from each available add-on 
and then performing an exhaustive search based on the IID. 
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Fingerprinting via Plugins 

Plugins offer a deeper level of access to operating specific data than the browser. The following 
charts indicate some of the information that is available to remotely hosted content. Once 
the information is examined in the plugin, it can either be transferred as is using an available 
network transmission mechanism in the plugin or returned via the JavaScript (depending on the 
host container to submit the data). 

A more efficient mechanism may be to generate a fingerprint on the client instead of returning 
the complete list of data. With proper identification and versioning of the fingerprinting method, 
these can be used to capture fingerprints without using excessive bandwidth or resources on 
the server. 

Flash 

Action Script 2 Language Reference http://helD.adobe.com/en US/AS2LCR/Flash 10.0/ 
help.html?content=splash.html 


Version Information 

getVersion() 

Capabilities 

System.capabilities 

Camera names 

Camera.names 

Microphone names 

Microphone.names 

Fonts 

TextField.getFontListQ 


Internet Explorer will also send a “x-flash-version” request header in some circumstances: 

• x-flash-version: 11,2,202,235 

Action Script 3 Language Reference 

http://help.adobe.com/en US/FlashPlatform/reference/actionscript/3/index.html 

http://help.adobe.com/en US/FlashPlatform/reference/actionscriPt/3/index.html? 

filter flashplaver=11.2 


Memory information 

System.totalMemory, System.privateMemory, 

System. totalMemoryNumber 

Capabilities 

System.ime, Capabilities, Accelerometer.isSupported, 
PrintJob.isSupported, Geolocation.isSupported, 
DRMManager.isSupported 

Locales 

LocalelD(LocalelD. DEFAULT), 

StringTools.getAvailableLocalelDNames, 

DateTimeFormatter.getAvailableLocalelDNames, 

Collator.getAvailableLocalelDNames, 

NumberFormatter.getAvailableLocalelDNames, 

CurrencyFormatter.getAvailableLocalelDNames 
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Camera 

Camera.names 

Microphone 

Microphone.names 

Fonts 

Font.enumerateFonts 

Input devices 

Mouse, Multitouch, Keyboard 


Silverlight 

http://msdn.microsoft.com/en-us/librarv/cc838158%28v=vs.95%29.aspx 


Environment information 

System. Environment 

Timezone info 

System.TimeZonelnfo.Local 

Audio Capture 

System. Windows.Media.CaptureDeviceConfiguration.G 
etAvailableAudioCaptureDevices() 

Video Output 

System. Windows.Media. LicenseManagement.VideoOut 
putConnectors 

Video Capture 

System. Windows.Media.CaptureDeviceConfiguration.G 
etAvailableVideoCaptureDevices() 

Fonts 

System. Windows.Media. Fonts.SystemTypefaces() 


Java 

http://docs.oracle.eom/iavase/6/docs/api/ 


Graphics Environment 

GraphicsEnvironment.getLocalGraphicsEnvironment() 

Display devices 

per graphics - getScreenDevices() 

Display modes 

per device - getDisplayModes() 

Fonts 

per graphics - getAIIFonts() 

Network interfaces 

Networklnterface.getNetworklnterfacesQ 


Examples of Java specific user-agents: 

• Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_31 

• Mozilla/4.0 (Mac OS X 10.7.2) Java/1.6.0_31 

• Mozilla/4.0 (Linux 2.6.38-8-generic) Java/1.6.0_31 


Quicktime 

https://developer.apple.eom/librarv/mac/#documentation/QuickTime/Conceptual/ 
QTScriptina JavaScript/bQTScriptina JavaScri Document/QuickTimeandJavaScri.html#// 

apple ref/doc/uid/TP40001526-CH001-SW5 
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Version info 

GetQuickTimeVersion() 

Language 

GetQuickTimeLanguage() 

Connection speed 

GetQuickTimeConnectionSpeed() 

Is professional version registered 

GetlsQuickTimeRegistered() 

Plugin version 

GetPluginVersion() 

Compute component version 

GetComponentVersionQ 


Adobe Acrobat PDF 

https://www.adobe.com/devnet/acrobat/iavascript.html 

http://wwwimaaes.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/acrobat/pdfs/ 

reader overview.pdf 


Monitors 

app.monitors 

Plugins list 

app.plugins 

Color profiles 

app.printColorProfiles 

Printer names 

app.printerNames 

Media players 

app.media.getPlayers() 

Printer parameters 

getPrintParamsQ 


Adobe Acrobat PDF ActiveX 

http://stackoverflow.com/auestions/3666839/aet-adobe-reader-version-usina-iavascript 


Version information 


GetVersionsQ 


Internet Explorer 

Client Capabilities information: http://msdn.microsoft.com/en-us/librarv/ 
ms531416%28v=vs.85%29.aspx 


Properties 

clientCaps 

Component information 

aetComoonentVersion / isComoonentlnstalled 
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Tracking 

Web Browser Methods 

The use of various tracking mechanisms supported natively by the web browser is well 
documented. For miscellaneous references and discussions on the current state of usage, see 
the recent paper “ Flash Cookies and Privacy II: Now with HTML5 and ETaa Respawnina ”. 

Cookies 

FITTP cookies are well supported in some form by every major web browser fhtto:// 
en.wikiDedia.ora/wiki/HTTP cookiel . Although the storage space is limited, the standard web 
cookie has the benefit that it will be automatically sent on every web request to servers that 
match the path and domain. This means even in completely passive monitoring scenarios, the 
cookie can still be available to be read by the receiving server. 

Although web security best practices recommend setting the cookie with the HttpQnlv and 
Secure flags, these features are undesirable when implementing web tracking. The goal should 
be to make sure the browser will be sent by the browser in every possible scenario as well as 
being readable by client-side code running within a specific domain. 

Browser Cache 

Web browsers support caching of content set with far-future expiration values. Unless the 
browser’s cache is disabled, the cache history is cleared, or the resource is retrieved using a 
private browsing mode, any content may be stored indefinitely. 

The simplest approach to using the browser cache for tracking purposes is to embed the 
tracking identifier directly in the content and then force it to be cached by setting the appropriate 
headers. By embedding the tracking identifier directly in the content, this allows for any active 
content to gain access to value where it is exposed. 

How this is accomplished and how practical it actually is depends on the type of content. 

Roughly, in order of preference of functionality and usefulness: 

• JavaScript 

• HTML 

• CSS 

In script content, storing an identifier could be as straightforward as embedding a variable and 
then exposing the value as a variable, function or callback. Part of what should be considered 
is how much global variable pollution is acceptable and whether unrelated script content should 
have easy access to the values. 
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// global variable 

var tracking_id = "fefel234"; 

// functional approach 

function get_tracking_id(){return "fefel234";} 

// callback approach 

(function() {if('undefined 1 !=typeof(tracking_id_callback)) 

{tracking_id_callback( n fefel234 n ) }}) () ; 

Or, in HTML, the could be embedded using any practical mechanism. For example, embedded 
as DIV text value: 


<div id="tracking_id">fefel234</div> 

In instances where JavaScript is not currently enabled or executing, this value could be read at 
a future date by referencing the cached HTML file. 

Embedding desired tracking identifiers into cached CSS content can be done in several ways, 
but browser support varies. Specific CSS directives that support cross-site extraction are the 
most beneficial. 

For example, the following CSS constructs could be used to embed a tracking identifier without 
relying on external references: 

#tracking_id { 

font-family: "fefel234" !important; 
background-image: url( 1 data:image/ 
gif;tid=fefel234;base64,ROIGOD...w==’); 

} 

#tracking_id:after { 
content: "fefel234"; 

} 

Then from within JavaScript, the content is read using aetComoutedStvIe . What is accessible 
will be dependent both on browser vendor and versions. For instance, the following shows 
that the “font-family” value is populated with the verbatim value in Chrome, but it is not readily 
available in the Opera browser. 


□ 


_ J □ test css x 

^ 4 C [Q pseudo-flaw.net/t/test-css.html & ^ 

Tue, 10 Jul 2012 17:26:46 GMT: starting from: http://pseudo-flaw.net/t/test-css.html 

Tue, 10 Jul 2012 17:26:46 GMT: background-image: url(data:image/gif;tid=d9b36c8908b048dfa2656606fd32140b.dc4acd449548dld4b8 
Tue, 10 Jul 2012 17:26:46 GMT- rnntnnf ' 

Tue, 10 Jul 2012 17:26:46 GMt T font-family: ' d9b36c8908b048dfa2656606fd32140b.dc4acd449548dld4b859a03aa5a60472 1 \ 

JL 
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These values can be read by additional script or active plugin content and propagated to 
additional client-side storage locations or embedded in network requests. 

The caching of HTML content with embedded tracking identifiers can be improved by adding 
an “ ETaa ” that duplicates the value. This can allow the server to correlate the tracking requests 
and potentially populate cookie values if the user’s cookies have been cleared or expired. The 
use of ETag values for tracking has been used in real world situations to implement “Zombie 
cookies” by Hulu/Kissmetrics rhttp://www.wired. com/business/201 1/07/undeletable-cookie/l and 
Microsoft’s synching with atdmt.com rhttPs://cvberlaw.stanford.edu/node/6715/l . 

In many cases, it is also possible to read the ETag header in XHMLHttpRequst responses from 
CORS requests as long as the appropriate header value for Access-Control-Expose-Headers is 
returned. 


HTML5 Storage 

HTML5 storage has many features that support the ability to store persistent values fhttp:// 
www.html5rocks.com/en/features/storaael . The localStorage object is the most flexible and well 
support in modern browsers. Although other options may offer finer-grained control, these do 
not come without significant drawbacks. Currently, many browsers have missing or prefixed 
implementations based on evolving standards. And when support is available within a specific 
browser, useropt-in may be required. 


For example, attempting to use mozIndexedDB in Firefox generates a user prompt: 


•<i5®' 


j featurability.com/test-indexed-db.html 


Tul 
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This website {featurabilily,com} is asking to store 
data on your computer for offline use. 


Info ITT 
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Obviously, depending on user interaction is undesirable in a remote tracking scenario especially 
if discretion is needed. 


Other storage features may not ever be implemented. Chrome implements the FileSystem API 
rhttp://www.w3.ora/TR/file-svstem-api/1 . but Firefox does not intend to implement the feature 

rhttps://hacks.mozilla.ora/2012/07/whv-no-filesvstem-api-in-firefoxl . Still, this Chrome specific 
feature does support an additional storage mechanism through the use of temporary file 
storage. 


Flash Shared Objects 

Local Shared Object (LSO) 

The use of Flash LSO objects for storage of identifiers for tracking purposes is well established. 
These persistent object can be shared among flash objects loaded from coordinating domains. 

Traditionally, there was not an effective mechanism for browsers to interface with these 
values so clearing cookies and emptying the cache within the browser had no impact on these 
persistent values. This made Flash cookies an attractive choice to store persistent identifiers. 
Adobe has made changes that allow these values to be cleared in the same way as traditional 
cookies and some integration with private browsing modes of the various browsers has been 
implemented. 

An item of note is that the Pepper Flash implementation in Chrome stores the shared objects in 
a separate directory location. For example, on Linux: 


~/.config/google-chrome/Default/Pepper Data/Shockwave Flash/ 
WritableRoot/#SharedObjects/ 


These object files are not shared with other browser instances and may contain separate values 
that are not easily correlated between different browsers. 

Remote Shared Object 

In addition to LSO, Flash also supports the use of remote shared objects using a media server 

rhttp://livedocs.adobe.com/flashmediaserver/3.0/hpdocs/help.html?content=00000100.htmll . 

The remote object supports local persistence which is functionally equivalent to the more well 
known LSO when a third parameter is specified: 

var myRemote_so:SharedObject = (name, uri, _root._url); 

By specifying _root._uri, cooperating Flash objects from the same domain can access the 
stored contents of a locally persisted object. The resulting client-side persistent file ends in “.sor” 

rhttp://livedocs.adobe.com/flashmediaserver/3.0/hpdocs/help.html?content=00000099.htmH . 

Internet Explorer UserData 
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Internet Explorer support limited storage in the “user data” feature available as a behavior. 

http://msdn.rnicrosoft.com/en-us/librarv/rns531424%28v=vs.85%29.aspx 

Silverlight 

Silverlight supports the use of Isolated Storage to store a limited amount of data in a persistent 
format. Similar to Flash shared objects, modern browsers prevent access to these values in 
private browsing mode. 

Adobe Acrobat PDF 

A less well-known feature of Adobe Acrobat is support for persistence of global values in 
JavaScript run from PDF documents. The alobal.setPersistent call will save values that are 
automatically re-populated whenever the document is opened. These values are stored in 
a “glob.js” or “GlobData” file (stored beneath the user’s application data directory), although 
different versions of Acrobat handle the security and scoping of the values differently. 

Because these values can be shared, coordinating documents from the same domain can 
access the values. This allows for the persistent storage of values outside of the browser. 

Java 

The Java runtime implements its own temporary file storage where application, applets and 
other resources are cached after being downloaded. This cache exists outside of any web 
browser and supports forced caching of content with far-future values. 


jj. 
Show 


Java Cache Viewer 


Resources 


m « 



r 





Name 

URL 

Modified 

Expired 


Versi 


m 

Tracker.jar 

http://Peaturability.com/Tracker.jar 

May 10, 2012 

May 10, 2013 




Java applets can either store embedded identifiers or load embedded resource content directly 
from the stored archive. Reading from an archive is more efficient than emitting custom Java 
class files directly. 

For example, to read embedded resource content: 


InputStream is = getClass().getResourceAsStream( M trackingid.txt"); 

BufferedReader br = new BufferedReader(new InputStreamReader(is)); 

String line; 

while ( (line = br.readLine()) != null) { 

response += line; 

} 

The following screenshot shows how the same applet loaded in different browsers. The same 
instance is loaded from the cache, even across the different browser instances. 
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] test java tracker 


Peaturability.cQrm/test-java-trackjer.html 


(! 


j n i t i Q li nod from: http:^ffooturob iIi tj ' .oom^ 1 ^ 
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M test java tracker - Microsoft Internet Explorer 


File Edit View Favorites Tools Help 
Address http://featurability.com/test-java-trackjer.htrml 
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Unmasking 


Background 

This issue has been a constant topic of interest over the years. In many cases, the same 
techniques discussed years ago continue to work with little modifications. Between plugins 
that can make direct socket connections, requests that leak DNS information or external media 
players that do not respect system settings, it is frequently possible to detect the remote IP (or 
username) of web browser users. 

For some relevant background information, see: 

• Metasploit Decloakina Engine (outdated and slightly broken) 

• Unmasking You (Black Hat and DEF CON presentation) 

Occasionally, new web browser features may expose additional attack surface. 

Recent Web Features 

Tor WebSocket Weakness 

An vulnerability related to DNS leakage was identified in the WebSocket support used in the Tor 
Web Browser Bundle, https://bloa.torproiect.ora/bloa/firefox-securitv-bua-proxv-bvpass-current- 
tbbs 


Content Site Policy and CGI Proxies 

The Content Site Policy (CSP) is an attempt to protect websites from a variety of content 
injection issues. The specification is currently in a state of flux. 

In order to facilitate implementation and deployments, a reporting mechanism for violations is 
defined. When a violation is observed, a report is sent to a predefined location. The policy and 
reporting location are transmitted via HTTP response headers. 

The Chrome browser implements support for CSP using the “X-WebKit-CSP” header. Reporting 
of violations is supported, but the URI used does not have to be “same-origin” as the violation 
(this differs from the Firefox implementation where violations must be same-origin). 

Where this is interesting is in the case of CGI proxies that transparently rewrite HTML body 
content, but return HTTP headers unmodified. If the CGI proxy does not modify the headers by 
rewriting external references, then by including an appropriate CSP policy, it is possible to force 
the browser to make an unproxied connection to a server. 

For example, the following screenshots demonstrate this issue in Chrome by requesting a 
resource using the CGI proxy at htto://www. 1 proxv.de. The response contains a “X-WebKit- 
CSP” header that will cause a report violation for an embedded image. This URL is not sanitized 
in the response headers; the Chrome browser will process the violation and make the request 
directly and bypass the CGI proxy. The actual user IP address will be exposed. 
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0 O O GET request to http;//www.lprox)[ ; d&/index.plip?q-aHB.QcDovL3EzZXVkbvlmbGF3Lm5ldC9jL2 . 

previous [ next ] [ action ] 



HTTP/1-1 200 0K 

Date: Wed, 09 May 2012 02:32:42 GMT 
Server: Apache/2,* 2-16 (Debian) 

X-Powered-By: PHP/5* 3-3-7+squeezeB 
Cache-control: no-cache, no-store 

X-Content-Security-Policy-Report-Only: img-src 'none 1 ; report-uri 

http://pseudo-flaw.net/c/csp-test/report-egi/6d6d5315f6e3923a2dc95cf352d29357 


X-WebKit-CSP: img-src ’none'; report-uri 

http://pseudo-flaw* net/c/csp-test/report* egi/6d6d5315f6e3923a2dc9Scf352d29357 

Set-Cookie: flags=2ed; expires=Wed, 06-Jun-2012 02:32:42 GMT; path=/; 
domain=.to>rw- Iproxy-de 

Content-Disposition: inline; filenafne="index2-cgi" 

Content-Length: 2339 
Vary: Accept-Encoding 
Content-Type: text/html 


C © www. 1 p r oxy . d e/m d ex. p h p ?q =a H RO c Do vL 3 BzZXV k by 1 m b G F 3 L m 5 Id C 9j L 2 N z c Cl OZXN 0 L 2 luZG V4M i 5jZ2 k % 3 D& h 1= 


Address : j http://pseudo-flaw.net/c/csp-test/indexZcgi 


Go [go: u p one 


Include Form Remove Scripts Accept Cookies ^ Show Images Show Referer Rotatel3 Base€4 ^ Strip Meta Strip Title 


Raw Headers (217*79*179*55) 

HTTP_REFERER: http://pseudo-flaw.net/c/csp-test/index2.cgi 
HTTP_CONNECTION: close 

HTTP_ACCEPT: text/html, application/xhtml-i-xml, application/xml;q=0.9, V*;q=0.8 

HTTP_USER_AGENT: Mozilla/5.0 (Xll; Linux 1686) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.163 S 
HTTP_H0ST: pseudo-flaw.net 


Generated: 6d6d5815f6e3923a2dc95cf352d29357 


CSP Response (217*79*179*55) 


Request ID: 6d6d5815f6e3923a2dc95cf352d29357 
Remote IP: 50.17.181.9 
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| www. 1 proxy,de/index. phwhat is my ip - Google Se 


^ C © www.google.com/search?sourceid=chrome&ie=UTF-8&q=what- 


+You Search Images Maps Play YouTube News Gmail Docum 


I 


Google what is my ip 


Search 


About 270.000.000 results (0.12 seconds) 


Everything 


C 


Your public IP address is 50 


,17,181.9 3 


- learn more 
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Private Browsing Modes 


Implementation Weaknesses 

Private browsing modes are often subject to implementation weaknesses. These can manifest 
themselves within the browser functionality or in interactions with external plugins. 

Safari 

In Safari 5, when “Private Browsing” is launched, a new browser session is not started which 
introduces a number of weaknesses. For example: 

• page level JavaScript variables are not cleared 

• background JavaScript continues 

• window.name is not cleared 

• window expando properties are not cleared 

So, if Safari private browsing is launched on a given page, that page can simply 
use “ setlntervalO ” to invoke a function to periodically check if cookies need to be repopulated. 
Using a Web Worker would be another possible approach to allow for the execution of 
background script. This is trivially observed in Safari 5 by launching the prime number 
calculation demo and then starting the “Private Browsing” mode -- the background processing 
continues uninterrupted: http://www.whatwa.ora/demos/workers/primes/paae.html . 

Local Connections 

Some extensions offer the ability to initiate local connections between separate plugin instances 
on the same machine. When these communications extend between content running in a 
private browsing session and normal browsing session, it can be used to correlate user activity. 

Inter-browser and Intra-browser Communication with Flash 

Flash supports LocalConnection objects to facilitate communications between different SWF 
files residing on the same computer. As the documentation states, “LocalConnection objects 
can communicate only among files that are running on the same client computer” fhttp:// 

help.adobe.com/en US/FlashPlatform/reference/actionscriDt/3/flash/net/LocalConnection.htmn . 

For private browsing that launches a new browser session, Flash can be used to communicate 
between instances running in the initial browser session and the new private browsing session. 
This can also be used to communicate between separate browser versions if the same Flash 
implementation is used. 

The following screenshot shows a browser that is sending content via several LocalConnection 
objects and multiple browser instances receiving the same value (including some running 
private browsing mode). 
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If a user visits a website (or coordinating websites) with multiple browsers, this can be detected 
through the sending and receiving of Flash methods via LocalConnection. 

However, when disparate versions of Flash are used, the LocalConnection may not function 
across browser versions. For example, Chrome has added an integration with the Adobe Flash 
Pepper API. Future versions of Flash for Linux may be limited to Pepper. In these instances, 
the LocalConnection communication is limited to the same browser version, but can still 
communicate between the private browsing session and normal session. 

Inter-browser and Intra-browser Communication with Silverlight 
The Silverlight runtime supports communication between local instances of Silverlight 
applications rhttp://msdn.microsoft.com/en-us/librarv/dd833063(v=vs.9511 . By using senders 
(LocalMessaaeSenderl and receivers (LocalMessaaeReceiver L messages can be transferred 
between cooperating instances. 
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_ I I Xi 11 v I I 


1 

Coi 



Name Scops: Global 
ReceiverName: receiver 
SenderDoma n: 192.168.47.127 

Res pon se : respo n se : [trackid =1557 2c629a 964752 9f9 6 ea 4cc3d9( 


C SilverlightSender 


^ Q featurability.com ■SilverlightSenderTestPage.html 


me 

fal 

ati 


Message: hello from sender: [trackid =f99ddbe4f7e64f89aQe9767 

Bucton j 

Name Scops: Global 

Message: 

ReceiverName: receiver 

hello from sender: [trackid=f99cdbc4f7e64f89a0eS7671Gb907( 

SenderDomain: featurability.com 

Attempt 1 completed. 

Response: response: [trackid=15572c529a9647529f96ea4cc3d9( 

Response: 


response : [tracki d = 15572c629 a9547 529f96ea4cc3 d 9 Ofd d] 

Message: hello from sender: [trackid=3e9d495a2c55400d96a 3 ec 

ReceiverName: receiver 

NameScope: Global 

RecetverDomaifu: * 

ReceiverName: receiver 


SenderDomatn : featurability . com 


D nnn r o ■ r 0( -nr. r. ■ ff r^Li A - 1 ^ ^ 7 TUr E. 1 Q =, Q G A 7P O Q f Q £ o = .4 r-jr *AtU 


/ Q SilverlightSender 


<- GO featurabiritY.com/SilverlightSenderTe5tPage.htiril 


l Button ! 

Message: 

hello from sender: [trackid = 3e9d495 a 2c55400d96aSea606467 
Attempt 1 completec. 

Response: 

res pon se : [tra cki d = 15572c6 2 9 a9547 529f5 6e a4cc3d9 Ofd d] 
ReceiverName: receiver 
Rees verDomain: * 


The Silverlight implementation has the added benefit that receiver responses are automatically 
supported. 
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Tracking Protection Lists 

Microsoft’s Internet Explorer supports the concept of Tracking Protection Lists (TPU. These lists 
allow for third-party sites to be blocked based on matches against a set of curated lists provided 
by several organizations fhttDs://ie.microsoft.com/testdrive/Browser/TrackinaProtectionLists/ ]. 

When a TPL is installed and enabled, any third party URL content appearing on the list is 
intended to be blocked from being loaded by the browser unless the content is loaded when 
the user navigates to it. In other words, if the URL is served as a first-party resource, it will be 
loaded. 

A tracking protection configuration to block all of the “featurability.com” domain could appear as: 

msFilterList 

# 

: Expires=3 

# block whole featurability.com domain 
-d featurability.com 

This TPL would be loaded based on user acceptance and is stored within the browser. In IE9, 
the TPL functionality is also used to enable Do Not Track headers. 


-on Types 

oolbarsand Extensions 


More Information 


.cce 

rac 


Name: 

Address: 


Name * 


1 Status| Address 


Featurability.com Tracking Pro... Enabled 
Turn nn Dn Not Track nmfpr... Fnabled 


Featurability.com Tracking Protection List 
http:// pse u d o-fla w. n et/tf my .tp I 


File: 

msFiiterList 

# 

: Expires=3 

# block whole featurability.com domain 
-d featurability.com 


http:// pse u d o-fla w. n et, ft/ rny.tp I 
httn: / / \p.. micrnsnft. cn nry testd m.. 


However, there are several possible mechanisms to work around these TPL restrictions. 

One method is to simply navigate the user’s browser to the third-party location. When the page 
is loaded as first-party content, the TPL validation is bypassed. For example, the following 
HTML attempts to load an iframe reference to the blocked content. This should be blocked. 
Then, after a slight delay, the browser is navigated to the same window. 

<!DOCTYPE html> 

<html> 

<head> 

<title>Test TPL Block</title> 

<script type= n text/javascript"> 
function go() { 

setTimeout(function() { 

window.location = "http://featurability.com/id.html"; 

}, 5000); 

} 
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</script> 

</head> 

<body onload =,, go () "> 

<iframe src="http://featurability.com/id.html n x/iframe> 

</body> 

</html> 

When the page content is displayed initially, the request to the blocked content is rejected. 


Q Test TPL Block - Windows Internet Explorer 


w O http: .'/pseudo-flaw .neVt/test-tpl-block.h P i < h ["§"] pt] [~X~| Q 


Test TPL Block 


u 


File Find Disable View Images Cache Tools Validate Browser Mode: IE9 Document Mode: IE9 standards 
Profiler Network 


HTML | 

CSS 

j Console 

Script 

felBlHl 

1. 

Stop capturing 


Go to detailed view 


URL 

Method 

Result 

Type | 

Received | 

Taken 

Initiator | Timings * 


GET 

304 

text/html 

181 B 

15 ms 

navigate 


http: //featurability. com/id. html 


(Aborted) 

D 

OB 

< 1 ms 

<ftame> 











^ Test TPL Block - Windows Internet Explorer 

t v P 'ttp://pseudo-flaw 1 .neb't/test-tpl-block.h ^ | [■®»j |~§"] [^t] [ X ] 

Q Test TPL Block X 

■ 




But, after the delay, the page will be navigated to the location and will bypass the tracking 
protection. 
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Message from webpage 


*j 


File Find Disable Vie 

2b lcc9G3Q2 5a^7191142fb3a8c266b2.2e9 lef 15cff629f3184eQ3c 
! e5c7c57-% 

tandards 

HTML | CSS Const 


bM 






OK 


Although this page simply displays a test message to the user, normally the user would be 
silently redirected back to the original page. 

Another method is to use active content such as Flash, Silverlight or Java plugins to load the 
third-party content. These are not restricted in the same way as normal browser content. 

For example, the following screenshot shows a sample Flash object being loaded IE10 Preview 
Release and bypassing the TPL restrictions applied to the other resources loaded from the 
same domain. 






Q http pseud o-fl aw. net"Vtest-swf.html P T 0 § (J 

Q HelloWorld AS3 

*u 


falseSystem.totalMemory: 17657856 
System.privateMemory: 33247232 
Syste rn tota IM e m o ry N u m b e r: 17657856 


< 

File Find Disable View 

Images Cache Tools Validate 

Browser Mode: IE10 Document Mode; Standards 

HTML CSS 

Console 

Script Profiler Network 

fe a 





9 SEC7114; A download in this page was blocked 
http;//featurability,com/id,css 
U SEC7114: A download in this page was blocked 
http;//featurability,com/ids.js 
Q) SEC7114; A download in this page was blocked 
http;//featurability,com/id „ css 
Q) 5EC7114: A download in this page was blocked 
http://featurability,com/ids.js 


by Tracking 
by Tracking 
by Tracking 
by Tracking 


Protection, 

Protection, 

Protection, 

Protection, 
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f a I s eSyste m .tota IM 0 m 0 ry: 17657356 
Syste m. p rivate M e m 0 ry: 33247232 
System.totalMemory Number: 17657B56 


^__ 


-s m 

itQ-ia m 


ET1 http://pseudo-flaw.netVtest-swf.html P T G § C 

Q HelloWorld AS3 

* 4 


Find Disable View images Cache Tools Validate Browser Mode* IE10 Document Mode: Standards 


S' 

> 

r? x 


HTML CSS Console Script Profiler 


Network 


Search Captured Traffic,,, 


fe B A Stop capturing 


Go to detailed view 


Clear 


URL 

Method 

Result 

Type 

Received 

Taken 

Initiator Timings 

http: //pseudo-flaw. net/t/test-swf, html 

GET 

200 

tex^/html 

1.12 KB 

172 ms 

navigate | 

http : //featurability. com/id. css 


(Aborted) 


OB 

< 1 ms 

<linkrel= 1, style... 

http: //featurability. com/ids Js 


(Aborted) 


OB 

< 1 ms 

<script> 

http : //featurability. com/id. css 


(Aborted) 


OB 

< 1 ms 

<linkrel= 1, style... 

1 http: //featurability. com/HelloWorld. swf 

GET 

200 

application/x-shoc... 

36.62 KB 

219 ms 

Flash 








http: //fpdownload. adobe. com/crossdomai... 

GET 

200 

text/x-cross-donna... 

44SB 

47 ms 

Flash 


Similarly Java and Silverlight content can be loaded by including appropriate crossdomain 
references. 


In IE10 Preview Release, added enhanced support for cross-domain XML requests using 
XMLHttpReauest . Previously, the IE specific XDomainReauest was supported, but it had 
numerous limitations. As shown in the following screenshot, the TPL restrictions are applied 
to XMLDomainRequest, but not requests made using XMLHttpRequest for either the CORS 
preflight or the actual content retrieval. 


( KM 


http://pseu d 0 -f I aw. n etVtest-tp I, htm I P T G § C Q Test TPL Cross Domain 


Mon Jul 9 17:54:56 PDT 2012: starting 

Mon Jul 9 17:55:03 PDT 2012: XDomainRequestU - got error: Unspecified error. 


File Find 

Disable View 

Images 

Cache Tools Validate 

Browser Mode: IE10 Document Mode: Standards 

- r? x 

HTML 

CSS Console 

Script 

Profiler 

Network 



Search Captured Traffic . .. 

p 


fe m a [ Stop capturing Go to detailed view Clear 


URL 

Method 

Result 

Type 

Received 

Taken 

Initiator Timings 

http: //pseudo -flaw. nef/t/test-tpl, html 

GET 

200 

texf/html 

1.75 KB 

218 ms 

navigate 


http: //featurability. com/id. css 


(Aborted) 


OB 

< 1ms 

dink re!="sty4e.,. 


http: //featurability . com/ids . js 


(Aborted) 


OB 

< 1 ms 

<script> 


http: //featurability. com/id. css 


(Aborted) 


OB 

< 1ms 

clink rel= T style... 






OB 




[http : //featurability. com/ids. js 

OPTIONS 

200 

text/plain 

454 B 

156 ms 

CORS Preflight 

D 

Lb ftp: //featurability. com/ids. js 

GET 

200 

text/javascript 

0.97 KB 

109 ms 

XMLHttpRequest 

http: //featurability, com7!3s!j^“ 


(Aborted) 


OB 

< 1 ms 

(Pending.,.) 
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Third Party Cookie Restrictions 

Some web browsers implement cookie restrictions that prevent third party sites from setting 
cookies in the browser. Any content included from the the third party site is prevented from 
setting new cookies or accessing existing cookies unless the user has visited the site (in the 
past) or manually interacted with the site. 

By default, Safari will block cookies from third party sites unless the user visits the site. 
However, once the user visits the site, then any cookies are available and can be accessed or 
read in the future. 


0 


W\ 


i 

ance Bookmarks Tabs RSS AutoFill Security Privacy Extensions Advanced 
Cookies and other website data: Remove All Website Data... 


Block cookies: “ From third parties and advertiser^ 

HO Never 

Limit website access to location services: Prompt for each website once each day 

O Prompt for each website one time only 
Deny without prompting 


There are several possible approaches to bypassing these restrictions. 

If there is a technical vulnerability in browser implementation, it may be possible to set cookies 
directly. For example, the Safari restrictions on third party cookies were able to bypassed using 
a automatic form post to the third party site. 

But as seen with bypassing IE TPL restrictions, navigating the current browser to the third-party 
site is sufficient to set the required cookies. 

<!DOCTYPE html> 

<html> 

<head> 

<title>Navigate 3rd Party</title> 

<script> 

var display; 

function log(message) { 

display.innerHTML += (new Date()) + ”: " + message + "\n"; 

} 

function init() { 

display = document.getElementByld("display"); 
log("starting from: " + document.location); 

} 

function go() { 

setTimeout(function() { 
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window.location = "http://featurability.com/go-back.html"; 

}, 5000); 

} 

</script> 

</head> 

<body onload="init(); go();"> 

<iframe src="http://featurability.com/stored-info.html" width="90%"></ 
iframe> 

<div id="display" style="white-space: pre; font-family: courier 
new;font-size: smaller;"></div> 

</body> 

</html> 

When this page is loaded, no third-party cookie is set. 



I Mo 
| Mo 


Mon Jul 09 2012 21:09:32 GMT-0500 
Mon Jul 09 2012 21:09:32 GMT-0500 


(Central Daylight Time): starting from: 
(Central Daylight Time) : coolcies= 


http: / /featurability.com/stored-info. 


3 


Mor. Jul U y 2U.2 2.!U9 ! 32 ol’ll-USUU ntjflLldl LldyiltJllL lllLdJ ! 9LUldgd-LillltjiilltjU 


A _I A 

Mon Jul 09 2012 21:09:32 GMT-0500 (Central Daylight Time): starting from: http://pseudo-flaw.net/tZnavigate-3rdparty.html 


The HTML will navigate the browser window and set the needed cookie. 

^ | ► | I + □ http://pseudo-flaw.neyynaYiflate-3rdparty.html 


C} Google 


D- 



Mon Jul 09 2012 21:09:54 GMT-0500 (Central Daylight Time): starting from: http://pseudo-flaw.net/t/navigate-3rdparty.html 


There is also probably a number of variations on this approach. For example, by modifying the 
previous script to open a popup window with the third party site, the cookies will also be set. 

var topw, iframeO; 
function go () { 

iframeO = document.getElementById("iframeO"); 
setTimeout (function () {popupO;}, 5000); 

} 

function popupO { 
try { 

var a = document.createElement("a"); 

a.href = "http://featurability.com/id.html"; 

a.target = "_xxx"; 

document.body.appendChild(a); 
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false 


var evt = document.createEvent("MouseEvent"); 

evt.initMouseEvent("click", true, true, window, 0, 0, 0, 0, 0, 
false, false, false, 0, null); 
a.dispatchEvent(evt); 
setTimeout(function() { 

topw = window.open('javascript:self.close()', ’_xxx f ); 
topw.close(); 

iframeO.contentWindow.location = iframeO.src; 

}, 1000); 

} catch (e) {log('error: ’ + e.message);} 

} 

The popup is opened and then closed. In the process, the cookie is set. 


e o o 

Popup 3rd Party 


i <1 ► | | + n http://Dseurio-flaw.net/t/Dopup-3rdparty.html 

C ldQj Google 

PQ iiii Apple Yahoo! Google Maps YouTube 

Wikipedia 



Mon Jul 09 2012 21:32:02 GMT-0500 (CDT): 
Mon Jul 09 2012 21:32:02 GMT-0500 (CDT): 

starting from: http://£eaturabil 
cookies^ 

ity.com/stored-info.html 


Mon Jul 09 2012 21:32:02 GMT-0500 (CDT): starting from: http://pseudo-flaw.net/t/popup-3rdparty.html 





Popup 3rd Party 


Q 

IOOO 


http://featurability.com/id.html 


* 

H H 

+ 0 http://featurability.com/id.htmi 


X | Google 

i- 


iiii Apple Yahoo! Google Maps YouTube 

Wikipedia 



Me 



http://featurability.com 


94abbl0dc29240albl3e8aad39e89d83.6f9e305de92 
68a7d55 56efOf99B71607 


I_OK_I 


© o o 

Popup 3rd Party 

| < ► | | + nhttp://pseudo-flaw.net/t/popup-3rdpartv.html C ! (Qr Google 

pp iiii Apple Yahoo! Google Maps 

YouTube Wikipedia 

Mon Jul 09 2012 21:32:17 GMT-0500 
Mon Jul 09 2012 21:32:17 GMT-0500 

(CDT): starting from: http://featurability.com/stored-info.html 

(CDT) : cookies-trackid=*94abbl0dc2 9240albl3e8aad39e89dfl3.6f9@305de9268a7d555 

Mo ci Jill U9 3U12 21! 52 ! 17 Gltll—U5UU 



Mon Jul 09 2012 21:32:02 GMT-0500 (CDT): starting from: http://pseudo-flaw.n@t/t/popup-3rdparty.html 


Internet Explorer offers a custom setting for blocking of third-party cookies. 
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As with the previously discussed TPL bypass, navigating the IE browser to the third-party 
location will set the cookie. 

Third Party Cookie Alternatives 

Assuming that third-party cookies can be completely blocked, modern browsers offer a powerful 
alternative based on the localStorage and postMessage . This is the approach taken by 
site to maintain authentication across multiple sites (e.g., XAuth . Stackoverflow’s authentication . 
http://kevinmontrose.com/2011/09/26/disablina-third-partv-cookies-doesnt-meaninafullv- 

improve-privacv/). 

For example, the following HTML content could be used to store an identifier using 
localStorage and then communicate the value to any parent page that loaded it by using 

postMessage. 

<html> 

<body> 

<script type= n text/javascript"> 

(function(){ 

if (Iparent || !parent.postMessage) { return ; } 

var w = window; 

var tid = "fefel234"; 

var utid = tid, ltid = null; 

try { 

ltid = localStorage["tid"]; 

if (!ltid || ltid == "null" || ltid == "undefined") { 
localStorage["tid"] = tid; 
ltid = null; 

} 

} catch (e) { } 

if (ltid) { 
utid = ltid; 

} 

var cb = function(event) { 
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var rtid = (event, data | | "") . toStringO; 

alert('rtid='+rtid+'\nutid=’+utid+ 1 \ntid='+tid+’\nltid= 1 +ltid); 

}; 

if (w.addEventListener) { 

w.addEventListener("message", cb, false); 

} else { 

w.attachEvent("onmessage", cb); 

} 

parent.postMessage(utid, " * ") ; 

}) () ; 

</script> 

</body> 

</html> 

Any page that wished to communicate with this content could import a JavaScript routine that 
register for the expected messages. The following implementation also stores any received 
values in a first-party cookie that is decorated with the name of the remote origin domain. 

(function () { 

try { 

var w = window, d = document; 
var cb = function(event) { 

try { 

var tid = event.data.toString(), ctid = null; 

var cleaned = event.origin.toString().replace(/\W+/g, '_'); 

if (document.cookie) { 

var lookup = cleaned + f _tid= f ; 

var cookies = document.cookie.toString(); 

var content = null; 

var n = cookies.indexOf(lookup); 

if (n >= 0) { 

var content = cookies.slice(n+lookup.length); 
n = content.indexOf(';'); 
if (n >= 0) { 

content = content.substring(0, n); 

} 

ctid = unescape(content); 

} 

} 

document.cookie = cleaned + '_tid='+ escape(tid) 

+';path=/;expires^'+(new Date(1666666666666)).toGMTString(); 

event.source.postMessage(ctid, event.origin); 

} catch(e){} 

}; 

if (w.addEventListener) { 

w.addEventListener("message", cb, false); 

} else { 

w.attachEvent("onmessage", cb); 

} 

var i = d.createElement("iframe"); 
i.heigth = i.width = 0; i.frameBorder = 0; 
i.top = i.left = "-1234px"; 

i.src = "//featurability.com/lstorage.html"; 
d.body.appendChild(i); 

} catch (e) {} 

}) () ; 
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The following screenshots show the use of localStorage and postMessage to persist an 
identifier across domains in the older Mobile Safari on iOS 4 after cookies have been cleared. 


The most recent Safari 5 on the latest iOS clears bothpersistent local storage and cookies. 
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Do Not Track 


Do Not Track 

The Do Not Track (“DNT”) header is supposed to be an opt-in indicator that a user does not 
want to be “tracked”. First implemented in Firefox, other browsers are slowly adding support and 
online advertisers are pledging limited support (unless it conflicts with their respective business 
models). There is considerable discussion about if it serves any purpose, although a W3C 
standard is being developed rhttp://www.w3.ora/TR/trackina-dnt/1 . 

The DNT header does enforce any tracking protection and is not a technical control. It is similar 
to how the “Accept-Language” can be used to indicate a preference, but there is no actual 
restriction placed on the response. The remote server must be configured to respect the header. 

DNT Header Weakness in Firefox XMLHttpRequest 

The Firefox implementation is subtly flawed, because client-side script can remove the header 
value in submissions ( Bug #7514521 For example: 


var xhr = new XMLHttpRequest(); 

xhr.open("GET", "http://tracker.example/", false); 
if (navigator.doNotTrack) { // not a boolean 
xhr.setRequestHeader("DNT", null); 

} 

xhr.send() 

If the case of cross-domain requests, a preflight request will be made, and an appropriate 
CORS response can be returned. This response can be future cached using the “Access- 
Control-Max-Age” header to limit round trips. 

DNT Header in Plugins and Non-HTTP Protocols 

There are some rather obvious shortcomings related to the DNT header in plugins and protocols 
that do not support HTTP headers. The W3C tracking draft specification alludes to the potential 
issues in a couple of sections: 

4.4 Plug-In APIs 

4.5 Tracking Preference Expressed in Other Protocols 

Without significant effort, it is unlikely that protocols such as FTP or binary Flash 
communications will be enhanced to support the use of a DNT header. And unless an actual 
client-side restrictions are put in place, the DNT header is likely to be ignored. 
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Tracking Server 

In order to support communications from plugins, modern web-browser requests, and tracking 
and unmasking several protocols need to be implemented in a tracking server. 

Protocols 

Several specific protocols and services should be configured to provide support for web 
requests and plugin requests. Which protocols depend on the specific scenario that is being 
utilized. 

For example: 

• DNS (tcp/53, udp/53) 

• FTP (tcp/21) 

• HTTP (tcp/80) 

• HTTPS (tcp/443) 

• Flash Policy Server (tcp/843) 

• Silverlight Policy Server (tcp/943) 

• RTMP (tcp/1935) 

• XML sockets (arbitrary tcp >1024) 

Additional specialized web requests and protocols should be supported as needed. 

Plugins 

Due to cross-domain restrictions, plugin content often depend on specialized policies. To 
support the greatest number of possible scenarios, it is important to be overly permissive. If 
these policies were used in a normal production web server, the applications hosted on the 
server would be opened to critical vulnerabilities. 

Flash 

To support web URL requests from Flash (such as LoadVars), a permissive “crossdomain.xml” 
should be implemented and be available from the root web directory: 

<?xml version="1.0"?> 

<cross-domain-policy> 

<allow-access-from domain="*" /> 

<allow-http-request-headers-from domain="*" headers="*" /> 
</cross-domain-policy> 


To support binary communications, a policy server needs to be implemented. This should run 
on port 843. A permissive policy file should be used: 

<?xml version="1.0"?> 

<cross-domain-policy> 

<site-control permitted-cross-domain-policies="master-only"/> 
<allow-access-from domain="*" to-ports="*" /> 

</cross-domain-policy> 


Java 

Java network connections depend on a number of factors. For web URL requests, 
an “crossdomain.xml” file is needed and, any DTD declarations should be excluded to prevent 
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unneeded network requests (Java blindly fetches any DTD referenced). 
Older Java versions only recognized the most rudimentary format: 

<?xml version^"1.0"?> 

<cross-domain-policy> 

<allow-access-from domain="*" /> 
</cross-domain-policy> 


More recent versions appear to support the same values as Flash, but this should not be 
depended upon. 

To establish binary socket communications, several items are considered before allowing the 
connection: 

• location of where the applet was loaded from 

• does the PTR record for the domain name match? 

• complicated reverse auth DNS validations 

• version of the Java plugin (revision and NextGen versus legacy) 

• presence of crossdomain.xml file 

• the destination port of the connection attempt 

Some of these validations are to prevent DNS rebinding attacks or unexpected requests against 
virtually hosted content. Unfortunately, that can make it challenging to rely upon Java for binary 
socket connections across of all possible configurations. 

Silverlight 

The Silverlight runtime uses a “clientaccespolicy.xml” to control URL requests and expects it to 
appear at the root of the website. Additionally, to support binary communications, a policy server 
needs to be implemented on port 943. 

An permissive file will allow most types of connections and scenarios: 

<?xml version="1.0" encoding ="utf-8"?> 

<access-policy> 

<cross-domain-access> 

<policy> 

<allow-from http-methods="*" http-request-headers="*"> 

<domain uri="*" /> 

<domain uri=”http://*" /> 

<domain uri="https://*" /> 

</allow-from> 

<grant-to> 

Cresource path="/" include-subpaths="true" /> 

</grant-to> 

</policy> 

<policy> 

<allow-from> 

<domain U ri="*" /> 

</allow-from> 

<grant-to> 

<socket-resource port="4502-4534" protocol^"top" /> 

</grant-to> 

</policy> 
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</cross-domain-access> 
</access-policy> 
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Additional References 


Storage and Persistence 

http://www.html5rocks.com/en/tutorials/indexeddb/ 

https://developer.mozilla.org/en/lndexedDB/ 

https://developers.aooale.com/chrome/whitepapers/storaae 

http://www.w3.ora/TR/webdatabase/ 

http://hacks.mozilla.org/2012/02/storina-imaaes-and-files-in-indexeddb/ 
http://kevinmontrose.com/2011/09/26/disablina-third-partv-cookies-doesnt-meaninafullv- 

improve-privacv/ 

https://hacks.mozilla.org/2012/03/there-is-no-simple-solution-for-local-storaae/ 
https://bloas.msdn.eom/b/ie/archive/2012/03/21/indexeddb-updates-for-iel 0-and-metro-stvle- 

apps.aspx?Redirected=true 

http://klanauedoc.hubpaaes.com/hub/How-To-Use-HTML5-File-Svstem-Access-API 

http://www.w3.ora/TR/file-svstem-api/ 

http://www.html5rocks.com/en/tutorials/appcache/beainner/ 

https://developer.mozilla.ora/en/DOM/window.naviaator.mozlsLocallvAvailable 

http://webreflection.bloaspot.com/2012/06/asvnchronous-storaae-for-all-browsers.html 

http://www.w3.ora/TR/file-svstem-api/ 

http://www.html5rocks.com/en/tutorials/file/filesvstem/ 

http://diveintohtml5.info/storaae.html 


Privacy and Tracking Protection 

https://bloas.msdn.eom/b/ie/archive/2010/12/07/ie9-and-privacv-introducina-trackina-protection- 

v8.asox 

http://windows.microsoft.com/en-US/internet-explorer/products/ie-9/features/trackina-protection 

https://www.torproiect.ora/torbutton/en/desian/index.html 

http://www.w3.ora/TR/trackina-dnt/ 
www.w3.ora/2011/track-privacv/papers/Yahoo.pdf 

http://www.ftc.aov/os/2012/03/120326privacvreport.pdf 

http://www.whitehouse.aov/the-press-office/2012/02/23/we-can-t-wait-obama-administration- 

unveils-blueprint-privacv-bill-riahts 

https://bloa.torproiect.ora/bloa/improvina-private-browsina-modes-do-not-track-vs-real-privacv- 

design 

https://wiki.mozilla.org/Securitv/Anonvmous Browsing 

http://answers.microsoft.com/en-us/ie/forum/ie9-windows vista/how-to-set-internet-explorer-9- 

to-start-in/d706fa5d-7d76-e011 -8dfc-68b599b31 bf5 
https://ie.microsoft.com/testdrive/Browser/DoNotTrack/Default.html 

http://msdn.microsoft.com/en-us/librarv/hh273399(v=vs.851.aspx - Creating and Hosting TPLs 


Plugins and Protocols 

http://support.aooale.com/chrome/bin/topic.pv? 

hl=en&topic=1678462&parent=1678463&ctx=topic 

https://www.adobe.com/devnet/acrobat/iavascript.html 
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httD://livedocs.adobe.com/flex/3/DroaAS flex3.pdf 

httDs://develoDer.aDDle.com/librarv/mac/#documentation/QuickTime/ConceDtual/ 

QTScriPtina JavaScriDt/bQTScriDtina JavaScri Document/QuickTimeandJavaScri.html#// 

apple ref/doc/uid/TP40001526-CH001-SW5 

https://www.adobe.com/devnet/flashplaver/articles/socket policy files.html 

https://www.ietf.ora/rfc/rfc2246.txt - The TLS Protocol Version 1.0 
https://www.ietf.org/rfc/rfc959.txt - FTP 
https://www.ietf.org/rfc/rfc1Q35.txt - DNS 

https://www.adobe.com/devnet/articles/crossdomain policy file soec.html 
http://msdn.microsoft.com/en-us/librarv/cc197955%28v=vs.95%29.aspx - Making a Service 
Available Across Domain Boundaries 

http://help.adobe.com/en US/as3/dev/WSb2ba3b1 aad8a27b0-181 c51321220efd9d1 c- 

8000.html#WS5b3ccc516d4fbf351 e63e3d118a9b90204-7cfb - Flash Sockets 
https://www.torproiect.org/proiects/tordnsel.html.en 

http://www.silverliohtshow.net/items/Cachino-of-in-and-around-vour-Silverlioht-application-part- 

1 .aspx 

http://help.adobe.com/en US/AS2LCR/Flash 10.0/help.html? 

content=Part2 AS2 LangRef 1.html 
http://livedocs.adobe.eom/flex/3/html/help.html? 
content=17 Networking and communications 4.html 
https://support.apple.com/kb/DL762 - QuickTime 7.6 for Windows 
https://developer.apple.eom/librarv/mac/#documentation/QuickTime/RM/Fundamentals/ 

QTOverview/QTOverview Document/QuickTimeOverview.html#//apple ref/doc/uid/ 

TP30000992-CH1g-QuickTimeOverview 

https://developer.apple.eom/librarv/mac/#documentation/Networkinglnternet/Conceptual/ 

StreaminoMediaGuide/Introduction/Introduction.html 

http://wiki.pcbsd.org/index.php/Java. Flash, and Fonts 

http://livedocs.adobe.eom/flashmediaserver/3.0/h pdocs/help.html?content=00000100.html 

http://msdn.microsoft.com/en-us/librarv/cc645032(v=vs.951.aspx - Network Security Restrictions 
in Silverlight 

http://msdn.microsoft.com/en-us/librarv/cc296248(v=vs.951.aspx - Silverlight Sockets 
http://help.adobe.com/en US/as2/reference/flashlite/ 

WS5b3ccc516d4fbf351e63e3d118cd9b5f6e-78c7.html - Flash LoadVars 
http://help.adobe.com/en US/AS2LCR/Flash 10.0/help.html? 

content=Part2 AS2 LangRef 1.html - XMLSocket 
https://en.wikipedia.org/wiki/Real Time Messaging Protocol 
http://docs.oracle.eom/iavase/6/docs/api/iava/net/URLConnection.html 

http://msdn.microsoft.com/en-us/librarv/ 

svstem.windows.messaoino.localmessaoereceiver.anvdomain(v=vs.95’) - Silverlight AnyDomain 
http://msdn.microsoft.com/en-us/librarv/dd920295(v=vs.95Laspx - Silverlight Client HTTP 
http://msdn.microsoft.com/en-us/librarv/cc838250(v=vs.95Laspx - Silverligth Security 
http://timheuer.com/blog/archive/2008/09/24/silverlight-isolated-storage-caching.aspx 

http://msdn.microsoft.com/en-us/magazine/dd434650.aspx - Managing Dynamic Content 
Delivery In Silverlight, Part 2 


Web Browser Features and Fingerprinting 

http://msdn.microsoft.com/en-us/librarv/ie/ms531416%28v=vs.85%29.aspx - clientCaps 
http://blogs.msdn.eom/b/ie/archive/2012/03/02/web-platform-features-in-windows-consumer- 

preview.asox 


36 














































httDs://ie.microsoft.com/testdrive/lncludes/Script/FeatureDetection.is 

http://lcamtuf.coredump.cx/pQf3/ 

http://finaerprint.pet-portal.eu/?menu=1 

http://ha.ckers.org/mr-t/mr-t.cai 

http://ip-check.info/ 

http://anon.inf.tu-dresden.de/help/iap helo/en/help/securitv test.html 

http://flippinatvpical.com/ - CSS Font enumerations 

http://msdn.microsoft.com/en-us/librarv/ie/ms535922%28v=vs.85%29.aspx - addBehavior 
http://msdn.microsoft.com/en-us/librarv/ms531355%28v=vs.85%29.aspx - IE Components 
https://developer.mozilla.ora/en/DOM/The structured clone algorithm 
http://www.w3.Org/TR/html5/common-dom-interfaces.html#safe-passina-of-structured-data 

https://developer.mozilla.org/en/DOM/window.historv 

https://developer.mozilla.ora/en/DOM/window.postMessaae 

http://www.whatwa.ora/demos/workers/primes/paae.html 

https://developer.mozilla.ora/En/Usina web workers 

http://www.html5rocks.com/en/tutorials/workers/basics/ 

http://webpolicv.ora/2012/02/17/safari-trackers/ 

http://bloa.kotowicz.net/2012/02/intro-to-chrome-addons-hackina.html 

http://www.scatmania.ora/2012/04/24/visitor-trackina-without-cookies/ 

https://dvcs.w3.ora/ha/content-securitv-policv/raw-file/tip/csp-specification.dev.html 

http://www.w3.Org/TR/DOM-Level-3-Core/core.html#DOMFeatures 

http://stackoverflow.com/auestions/2281613/how-do-i-detect-the-difference-between-adobe- 

acrobat-versions-hiaher-than-8-in-n 

http://modernizr.eom/docs/#features-css 

https://bloa.torproiect.org/bloa/firefox-securitv-bua-proxv-bvpass-current-tbbs 

http://www.w3.ora/TR/cors/ - Cross Origin Resource Sharing 
http://www.howtocreate.co.uk/operaStuff/operaObiect.html 

https://trac.webkit.org/wiki/PrefixedAPIs 

http://www.matthewratzloff.com/bloa/2007/Q6/26/detectina-pluains-in-internet-explorer-and-a- 

few-hints-for-all-the-others/ 

http://msdn.microsoft.com/librarv/ie/hh673549.aspx 

http://www.w3.ora/TR/css3-mediaaueries/ 

https://developer.mozilla.ora/en/Securitv/CSP/CSP policy directives 
http://msdn.microsoft.com/en-us/librarv/ms537509%28v=vs.85%29.aspx - Detecting IE 
https://bloas.msdn.eom/b/aioraio/archive/2009/04/14/how-to-detect-ie8-usina-iavascript-client- 

side.aspx?Redirected=true 

https://en.wikipedia.ora/wiki/List of tvpefaces#Unicode fonts 

http://www.w3.ora/TR/P3P/ 

Software 

https://aithub.com/facebook/tornado 

https://github.com/chr15m/pvPdf/tree/ae4a7bb94f998f9a320129ca289bd552efa2d76c 

https://code.aooale.eom/p/rtmplite/ 

http://sourceforae.net/proiects/pvdns/files/pvdns/pvdns-2.3.6/pvdns-2.3.6.tar.az/download? 

use mirror=iweb 
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